http://nzitf.org.nz/ (Sat, 12 Aug 2017 22:03:37 GMT)

In recent months, two headline-grabbing cyber attacks targeting enterprise and corporate networks radiated quickly across the globe. NZITF wants to take this opportunity to remind New Zealand businesses to practice good cyber security to reduce the risk of being compromised.

In May, a large coordinated attack called WannaCry spread to over 150 countries. Over 300,000 computers were infected. In late-June, an attack known as Petya (a.k.a. NotPetya or GoldenEye) was unleashed with similar global ripple effects.

WannaCry and Petya / NotPetya exploit vulnerabilities in Windows-based computer systems in what is known as a ransomware attack. Ransomware is a form of malicious software that infects a computer, encrypts the data that the computer has access to and restricts access to it until a ransom is paid to unlock it.

WannaCry affected many organisations including UK’s National Health Service, Spain’s Telefonia, FedEx and Deutsche Bahn, alongside countless smaller organisations in many other countries. New Zealand was comparatively unaffected, with only a small number of WannaCry infections reported.

Petya / NotPetya also largely missed New Zealand. However, several organisations with international links or the local arms of such companies did take precautions. These included Maersk shipping in New Zealand and Ports of Auckland.

While theories swirl regarding the motivation and attribution for WannaCry and Petya / NotPetya, they illustrated a potential lack of preparation on the part of several large corporates.

Ransomware is nothing new, but in the last three years ransomware attacks have grown in number and sophistication. As part of the global internet community New Zealand companies and internet users have not been immune.

While there is more yet to learn about the architecture and mechanics of WannaCry and Petya / NotPetya, there are some simple practical actions you should take to lessen your chances of being affected.

Take care with your email

Ransomware infections often spread through email, so the most important thing you can do is take care with your email. Don’t open unexpected attachments or click on links in suspicious emails.

Install the latest patches & security updates

Unpatched computers are more likely to be infected, so you should install all patches and updates Microsoft has released to block WannaCry and Petya / NotPetya ransomware. If you’re running the latest version of Windows, this will happen automatically – provided you have automatic updates turned on.

Backup your data regularly

You should regularly back up your data and make sure you have offline backups. That way, if you are infected with ransomware, it can’t encrypt your backups.

What do you do if you get infected?

If you are infected you should resist the temptation to pay the ransom. People undertaking ransomware attacks are invariably linked to criminal networks. By paying you are funding organised crime and encouraging further ransomware attacks. Instead, you should seek help from CERT NZ and/or a reputable cybersecurity firm.

Finally, it’s important to know that ransomware is just one part of the cyber attack threat environment. Cyber attack takes many forms – from viruses and worms, to denial-of-service and phishing; from social engineering to invoice fraud.

The message from WannaCry and Petya / NotPetya is clear. All organisations are in the firing line and New Zealand must remain vigilant. Safe and hygienic cybersecurity is more important than ever – it can make all the difference.

The New Zealand Internet Task Force (NZITF) welcomes the Government’s launch of a dedicated Computer Emergency Response Team (CERT) for New Zealand.

Newly-established CERT NZ opened its doors in early April. Its role includes incident response and triage, situational awareness, advice and outreach, international collaboration with other CERTS, and co-ordination of serious cyber incidents.

NZITF Chair Barry Brailey says CERT NZ has been a long time coming and will fulfill an important function in providing up-to-date information and advice to New Zealanders with cybersecurity concerns. Its focus is complementary to NZITF’s own, related mission to improve the cybersecurity posture of New Zealand.

“We look forward to enjoying a collaborative and cooperative working relationship with the team at CERT NZ. Our trusted community of InfoSec specialists from government, law enforcement, academia, IT and private sector industries stand ready to help CERT NZ achieve its goals.

“Unity of effort is important in an area as fast changing as cybersecurity. In the coming months we’ll be looking at how best we can help CERT NZ. Ultimately, the more collaborations there are, the better the outcomes for the thousands of individuals and businesses across New Zealand who live, work and play online.”

For the past several years, NZITF has been running a Coordinated Disclosure system. With Coordinated Disclosure, anybody who finds a vulnerability in a website or ICT system can report it to disclosure@nzitf.org.nz. This arrangement will continue for now, while CERT NZ establishes itself.

http://nzitf.org.nz/2017/02/09/email-invoice-fraud-proves-persistent/ (Thu, 09 Feb 2017 07:50:09 GMT)

Email invoice fraud continues to be a problem affecting small and medium business in New Zealand. But there are some simple, practical actions you can take to reduce your risk.

This type of fraud happens via hacked email accounts, which are used to resend duplicate invoices that look just like the real thing. It works like this:

Hackers access a business’s Sent mail to find a recent customer invoice. They copy the invoice, but alter the payment bank account number. They then email the customer with the modified invoice and ask the customer to instead pay into the new, fraudulent account number. They may offer a dubious reason for the new payment bank account number, such as the original account is being “audited”.

Xero’s Head of Security, Paul Macpherson, says a number of businesses fell victim to this scam last year. Unfortunately, cases are still being reported.

“What we've had reported is mostly targeting the building industry. It's small numbers, but seems to be slowly increasing. We're getting about one report a week. Being the building industry, some of the invoices are for quite large amounts.”

Email invoice fraud is all the more insidious because it has two victims - the business whose email account is hacked, and the customer of the hacked business who receives and pays the fake invoice.

Macpherson says it’s important that all businesses involved in sending and / or paying invoices are hygienic with their accounting and do everything they can to secure their email accounts. The following preventative actions will help mitigate the threat.

Scrutinise and match suspicious bank account numbers against existing numbers in your accounting system. ‘Red flag’ and follow up any discrepancies. Treat the arrival of unexpected invoices with the utmost caution.

Verify over the phone any new payee information that you’ve been emailed - both when loading new payees and when making changes to existing payee information.

Educate & communicate

Make your staff aware of the issue. Look out for emails that ask for payment with new bank details. The best thing to do if this happens is pick up the phone to check the authenticity of the invoice you’ve received.

You may want to consider enforcing a policy that any change of bank account number on an invoice is validated through a non-email channel and by at least two of your supplier’s contacts.

Secure your email account

Make sure the latest antivirus and security updates are installed on any computer or device you use to deal with invoices. Having a long, strong email password is also vital.

Use an extra layer of security

If your email provider offers two-factor (2FA) or multi-factor (MFA) authentication, you should use it. 2FA/MFA provides another layer of security to prevent hacking. It significantly reduces the risk of your email being maliciously accessed and used to commit invoice fraud.

Quickly report if you’re affected

If you or one of your customers has paid into a fraudulent bank account, don’t panic. It’s important to contact the banks involved right away, making sure the issue is escalated to their fraud teams. Also advise the Police.

Your customer’s bank needs the details of the bank account the payment was made to so they can advise the receiving bank to put a hold on the money. Invoice fraud payments are typically made into the account of what Macpherson describes as a "money mule," who will withdraw the funds and send them offshore to the hacker.

For their part, Xero customers should additionally contact Xero if they’re targeted. Macpherson says the company has procedures in place with the fraud teams of New Zealand banks to notify them of accounts being used for fraud. This is useful even in cases where no payment is made to the fraudulent account, as banks are often able to identify the money mule.

The upshot is this. Sound email security, accounting hygiene and eagle-eyed vigilance by everybody along the invoice chain are key to avoiding the worst that can happen.

Three hundred years ago, Benjamin Franklin commented that ‘an ounce of prevention is worth a pound of cure’. The advice is worth heeding because nowhere is the adage truer than when it comes to email invoice fraud.

http://nzitf.org.nz/2016/11/28/nzitf-response-to-dropbox-data-breach/ (Mon, 28 Nov 2016 05:59:08 GMT)

Four years ago, 68 million usernames and passwords were released in a data breach at US file hosting service Dropbox. Only recently made public, the scale and nature of the breach has been of interest to the security community, including here at NZITF.

Importantly, NZITF members got a copy of the data that was breached to understand how New Zealand organisations were exposed and how corrective action can best be taken in future.

In addition to the normal, operational efforts that NZITF members took to identify and contact the compromised Dropbox account holders in New Zealand, we examined the .nz parts of the dataset to try and understand how organisations here are using file-hosting services like Dropbox.

This blog post sets out what we found.

Many New Zealand organisations use Dropbox

It was difficult to establish how many New Zealand accounts were compromised because we couldn’t search for people's Gmail, Yahoo or Hotmail accounts. What we were able to do, however, was sort the data to find email addresses ending in .nz, e.g. yourname@work.co.nz or name.lastname@agency.govt.nz. There were 120,100 such compromised accounts. Put another way, a little over 2 percent of the New Zealand population had a Dropbox account registered to a .nz domain name.

The use of Dropbox by New Zealand organisations may amount to shadow IT

We considered whether or not the use of Dropbox by the compromised New Zealand accounts was shadow IT – where IT solutions are used without organisational approval – and, if so, what kind of corporate information was sitting in unauthorised Dropbox accounts.

It was important to approach this carefully, because Dropbox does not, in and of itself, equal shadow IT. In fact, many organisations make business decisions to use Dropbox, OneDrive or Google Drive for back-ups, document sharing or working overseas.

Nevertheless, we were confident that a number of the organisations whose employees had Dropbox accounts linked to their work email address were bona-fide examples of shadow IT. It was clear from looking at the .govt.nz accounts involved in the breach how many organisations have Dropbox in their systems potentially without official IT sanction – especially given Dropbox is not an approved cloud software solution for New Zealand government IT departments.

Of notable interest is that, apart from the 2500 .govt.nz accounts, most of the names were probably not examples of shadow IT. .ac.nz, for example, is likely to include a large number of students and teaching assistants with university email addresses. It isn’t a huge surprise that they would use Dropbox. With the Vodafone accounts, it’s reasonable to assume these are customers using their ISP-issued email account for Dropbox.
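The sort-by-suffix step described above, as an added worked example (this is not NZITF's own tooling and does not touch the Dropbox data): a Python script that takes a breach dump in the common address:hash line shape, keeps only addresses whose mail domain is under .nz, de-duplicates them, and buckets them by second-level domain (govt.nz, ac.nz, co.nz) and by full mail domain so the organisations to notify fall out directly. The dump lines, the HASH_PLACEHOLDER token and the function names are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the "address:hash" shape breach dumps are often traded in.
# Every address here is made up; none comes from the Dropbox data set.
SAMPLE_DUMP = """\
alice@agency.govt.nz:HASH_PLACEHOLDER
bob@council.govt.nz:HASH_PLACEHOLDER
carol@student.uni.ac.nz:HASH_PLACEHOLDER
DAVE@Work.Co.NZ:HASH_PLACEHOLDER
erin@vodafone.co.nz:HASH_PLACEHOLDER
frank@example.com:HASH_PLACEHOLDER
grace@shop.nz:HASH_PLACEHOLDER
heidi@agency.govt.nz:HASH_PLACEHOLDER
this line is not an address at all
alice@agency.govt.nz:HASH_PLACEHOLDER
"""

# One address at the start of the line, terminated by the ':' separator or whitespace.
ADDRESS_RE = re.compile(r"^([^\s:@]+@[^\s:@]+)")


def extract_nz_addresses(dump_text):
    """Return the distinct, lower-cased addresses whose mail domain is under .nz.

    Matching on the domain suffix (not a substring search for ".nz") avoids
    false hits such as user@foo.nz.example.com.
    """
    seen = set()
    for line in dump_text.splitlines():
        match = ADDRESS_RE.match(line.strip())
        if not match:
            continue  # blank, malformed or hash-only line
        address = match.group(1).lower()
        domain = address.rsplit("@", 1)[1]
        if domain == "nz" or domain.endswith(".nz"):
            seen.add(address)
    return sorted(seen)


def second_level_domain(address):
    """Bucket an address by its .nz second-level domain (govt.nz, ac.nz, co.nz ...).

    Names registered directly under .nz (e.g. shop.nz) have no second level and
    are reported as 'nz (direct)'.
    """
    labels = address.rsplit("@", 1)[1].split(".")
    return ".".join(labels[-2:]) if len(labels) >= 3 else "nz (direct)"


def summarise(dump_text):
    """Count .nz addresses per second-level domain and per full mail domain."""
    addresses = extract_nz_addresses(dump_text)
    by_sld = Counter(second_level_domain(a) for a in addresses)
    by_domain = Counter(a.rsplit("@", 1)[1] for a in addresses)
    return len(addresses), by_sld, by_domain


if __name__ == "__main__":
    total, by_sld, by_domain = summarise(SAMPLE_DUMP)
    print(f"{total} distinct .nz addresses")
    for sld, n in by_sld.most_common():
        print(f"  {sld:<14}{n}")
    # Full domains with more than one account are the first organisations to notify.
    for domain, n in by_domain.most_common():
        if n > 1:
            print(f"  notify {domain}: {n} accounts")
```

Matching on the domain suffix rather than searching for the substring ".nz" is what keeps addresses like user@foo.nz.example.com out of the count, and lower-casing first means DAVE@Work.Co.NZ and dave@work.co.nz are counted as one account, not two. On a real dump the per-domain counts are what a notification team works from; the per-second-level totals are the shadow-IT signal discussed in the post.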

The news about the Dropbox data breach underscores the valuable role that the incoming CERT-NZ is expected to play.

As a trust-based membership organisation, NZITF has security professionals across New Zealand, but members aren’t spread evenly across the country. This means that there will inevitably be some organisations on data breach lists like the Dropbox list that we don't know or have a relationship with. A nationally recognised leader in CERT-NZ will bring resource and name recognition in contacting those organisations as well as running national coordination for breach notifications.

Data breaches like Dropbox are a reminder that the role of the incoming CERT-NZ will also involve coordinating and mitigating breaches in the government sector. Organisations with .govt.nz domain names include local councils, crown entities and large central government agencies. Many lack sophisticated information security teams and resources. CERT-NZ’s role is therefore expected to be doubly important in terms of data breach advice and leadership.

Strong, unique passwords make the difference

While we didn’t expend time or effort in decoding the password hashes, data breaches like Dropbox are a useful reminder about the importance of strong, unique passwords. It’s also particularly important to remind people and organisations that using two or three passwords across all their online accounts is not a good idea.

A useful resource in creating strong unique passwords can be found in Stanford University's password policy infographic. This shows how easy it is to build and remember strong, unique passwords of 16+ characters.

Get proactive about online accounts and data breaches

There are a number of services available that people and organisations can use to check if their email account has been included in a data breach – including HaveIBeenPwned. Here, users can register their email account(s) and be notified if they are involved in a breach that is made public.

HaveIBeenPwned also offers a service where users can receive domain-based alerts. This is useful for organisations, as security teams can set up alerts for anytime a work email account is breached and made public.

With over two billion accounts compromised in 2016, proactive alert services like these are a useful tool in helping alleviate concerns, and NZITF encourages all New Zealanders and New Zealand organisations to stay vigilant.

http://nzitf.org.nz/2016/11/10/eclecticiq-helps-boost-new-zealand-internet-task-force-information-sharing-capability/ (Wed, 09 Nov 2016 19:00:00 GMT)

Technology developed by Dutch-headquartered firm EclecticIQ is expected to prove valuable for the New Zealand Internet Task Force as it looks to streamline and improve the way it shares information about cybersecurity threats.

The organisations have entered into an agreement, which will see the Task Force make use of EclecticIQ’s Threat Intelligence Platform – a highly secure web application that consolidates cyber threat intelligence from multiple sources and allows it to be easily analysed and shared.

http://nzitf.org.nz/2016/11/10/eclecticiq-boosts-information-sharing-for-new-zealand-internet-task-force/ (Wed, 09 Nov 2016 19:00:00 GMT)

Threat Intelligence Platform from EclecticIQ to streamline information sharing on cybersecurity threats for the members of the New Zealand Internet Task Force.

WELLINGTON, New Zealand – 10 November 2016. The New Zealand Internet Task Force (NZITF) will connect its members through EclecticIQ Platform – a highly secure solution that consolidates cyber threat intelligence from multiple sources to foster in-depth analysis, and enables easier information sharing with trusted partners. EclecticIQ makes extensive use of STIX and TAXII, which are OASIS open-source standards enabling automation of threat intelligence and incident response workflows.

With the agreement between NZITF and EclecticIQ, members of the New Zealand Internet Taskforce will have access to EclecticIQ Platform through an online portal. Through EclecticIQ Platform, NZITF members can share critical information about malware and other online threats among themselves and with New Zealand’s wider cyber security community.

New Zealand Internet Task Force Chair Barry Brailey says information sharing is an important part of working to combat cyber threats, and a tactical imperative as the number of global security incidents continues to rise.

“EclecticIQ Platform provides a central hub for us to gather, digest, normalize and de-duplicate intelligence from our member base. We can streamline and funnel information coming from many different places into a single view, giving us instant access to information that we’ve previously only ever shared via email and face to face,” says Brailey.

“Our agreement with EclecticIQ is a step along the road towards more automated data sharing for the Task Force which, ultimately, is a good thing for New Zealand’s overall security posture,” he says.

EclecticIQ CEO Joep Gommers says the agreement positions the New Zealand Internet Task Force extremely well to make better use of the increasing volume of cyber threat intelligence.

“In helping defend and mitigate cyber-based threats, the Task Force needs to be able to collaborate, and to quickly and easily share information. We’re pleased, through this agreement, to be able to help them do this with our Threat Intelligence Platform,” says Gommers.

Deployment and support of the EclecticIQ Platform is being performed by Cosive, a specialist in incident response and threat intelligence, and EclecticIQ’s local representative.

A presentation on how the New Zealand Internet Task Force plans to make use of EclecticIQ’s Threat Intelligence Platform will be given at the upcoming NZITF Conference, being held across two days in mid-November.

About NZITF:
The New Zealand Internet Task Force (NZITF) is a non-profit with the mission of improving the cyber security posture of New Zealand. It’s a forum based on mutual trust for debate, networking, information sharing, and collaboration on matters relating to the cyber security of New Zealand.

About EclecticIQ:
EclecticIQ works with large enterprises, governments and MSSPs to improve cyber threat detection, prevention and response. Its analyst-centric EclecticIQ Platform boosts effectiveness of Threat Intelligence practices and intelligence-driven SOC and CERT operations.

The company won Deloitte’s Technology FAST50 Rising Star Award for “Most Disruptive Innovator”. EclecticIQ is a member of OASIS CTI TC and affiliate member of FS-ISAC.

www.eclecticiq.com

About Cosive:
Cosive helps Australian and New Zealand organisations make better use of their threat intelligence. Cosive are the local representative for EclecticIQ Platform, as well as providing intelligence feeds, integration and consulting services, bespoke software systems development, STIX/TAXII and CybOX consultancy, and incident response guidance.

www.cosive.com

-END-

The New Zealand Internet Task Force (NZITF) advises that an unknown international group has this week begun threatening New Zealand organisations with Distributed Denial of Service (DDoS) attacks.

DDoS attacks are attempts to make an organisation’s Internet links or network unavailable to its users for an extended length of time.

This latest DDoS threat appears as an email threatening to take down an organisation’s Internet links unless substantial payments in the digital currency Bitcoin are made.

NZITF Chair Barry Brailey warns the threat is not an idle one and should be taken extremely seriously as the networks of some New Zealand organisations have already been targeted.

“The networks of at least four New Zealand organisations that NZITF knows of have been affected, so far. A number of Australian organisations have also been affected,” he says.

This unknown group of criminals has been sending emails to a number of addresses within an organisation. Sometimes these are support or helpdesk addresses, other times they are directed at individuals.

The emails contain statements threatening DDoS, such as:

“Your site is going under attack unless you pay 25 Bitcoin.”

“We are aware that you probably don't have 25 BTC at the moment, so we are giving you 24 hours.”

“IMPORTANT: You don’t even have to reply. Just pay 25 BTC to [bitcoin address] – we will know it’s you and you will never hear from us again.”

The emails may also provide links to news articles about other attacks the group has conducted.

NZITF urges all New Zealand firms and organisations to be on the alert and consider the following:

Don’t pay. Even if this stops a current attack, it makes your organisation a likely target for future exploitation as you have a history of making payments.

Educate all staff to be on the lookout for any emails matching the descriptions above. Have them alert appropriate security personnel within the organisation as soon as possible.

Establish points of contact with your Internet Service Providers (ISPs) in the event that you need them to perform traffic filtering. Defence against many attack types is most effective when performed before the traffic reaches your network. To date NZITF has had reports of organisations being able to handle these attacks effectively through collaboration with their ISPs.

Establish a baseline of normal activity on your internal network to determine uncharacteristic levels of Internet traffic in the event of an attack. Report any attack to the appropriate authorities.

For more tech savvy organisations here are some additional steps to consider:

Make use of DDoS mitigation services or content delivery networks to serve Web content. Solutions that specialize in protecting Web content may be more cost effective and, given the limited types of traffic that should be allowed, might be able to more aggressively drop malicious traffic.
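The baseline step above (establish what normal traffic looks like, then flag uncharacteristic levels), as an added example that is not part of the NZITF advisory: a Python sketch that derives a robust baseline from a constructed training window of per-minute request counts and flags minutes in a later window that exceed it. The counts, the k and min_margin parameters and the 1.4826 MAD-to-sigma constant are choices made for this example.

```python
import statistics

# Constructed per-minute inbound request counts for a "quiet week" training
# window: 60 minutes that wobble between 95 and 105. Not real traffic.
TRAINING_COUNTS = [100 + ((i * 7) % 11) - 5 for i in range(60)]

# Constructed observation window: normal minutes followed by a sudden surge.
OBSERVED_COUNTS = [101, 98, 104, 250, 1800, 3200, 97]

MAD_TO_SIGMA = 1.4826  # scales a MAD to a standard deviation for normal data


def baseline(counts):
    """Return (median, MAD) of the training counts.

    Median and median absolute deviation are used instead of mean and standard
    deviation so that a spike already present in the training window does not
    inflate the baseline and hide the next attack.
    """
    med = statistics.median(counts)
    mad = statistics.median(abs(c - med) for c in counts)
    return med, mad


def threshold(med, mad, k=5.0, min_margin=20.0):
    """Alert level: median plus k robust sigmas, but never closer than min_margin.

    min_margin stops a very flat training window (MAD near zero) from flagging
    harmless jitter.
    """
    return med + max(k * MAD_TO_SIGMA * mad, min_margin)


def flag_anomalies(observed, med, mad, k=5.0, min_margin=20.0):
    """Return (minute_index, count) for every minute above the alert level."""
    level = threshold(med, mad, k, min_margin)
    return [(i, c) for i, c in enumerate(observed) if c > level]


if __name__ == "__main__":
    med, mad = baseline(TRAINING_COUNTS)
    print(f"baseline median={med} MAD={mad} alert above {threshold(med, mad):.1f}")
    for minute, count in flag_anomalies(OBSERVED_COUNTS, med, mad):
        print(f"minute {minute}: {count} requests/min, uncharacteristic, investigate")
```

Median and MAD keep the baseline honest even if the training window already contains a short spike, and the min_margin floor keeps a flat, low-traffic baseline from alerting on jitter. In practice the counts would come from router, firewall or web server logs rather than a list in the script, and the flagged minutes are what you hand to your ISP contact when asking for upstream filtering.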

The New Zealand Internet Task Force (NZITF) has released guidelines on how New Zealanders and NZ companies can implement coordinated disclosure. These guidelines will help security researchers and organisations to work together when disclosing and addressing vulnerabilities in ICT systems.

New Zealand businesses and organisations do not want to have ICT systems (such as websites) with vulnerabilities in them. Security researchers want to be able to notify organisations of vulnerabilities they come across without fear of legal action or negative publicity. It is important that we are all clear about what is expected of us when disclosing a vulnerability or when someone contacts us with a vulnerability.

Because the NZITF has a broad membership of security professionals we have designed these guidelines to give people an easy to use introduction to coordinated disclosure. Barry Brailey, the NZITF’s Chair said “I hope the guidelines set some clear boundaries and ultimately make it easier for security professionals to work together and help improve New Zealand’s cyber security posture.”

The New Zealand Internet Task Force (NZITF) is currently working on responsible disclosure guidelines. These guidelines will help security researchers and organisations to work together when disclosing and addressing vulnerabilities in ICT systems.

New Zealand businesses and organisations do not want to have ICT systems (such as websites) with vulnerabilities in them. Security researchers want to be able to notify organisations of vulnerabilities they come across without fear of legal action or negative publicity. It is important that we are all clear about what is expected of us when disclosing a vulnerability or when someone contacts us with a vulnerability.

Because the NZITF has a broad membership of security professionals we think that we can provide guidance that will add value, set some clear boundaries and ultimately make it easier for security professionals to work together and help improve New Zealand’s cyber security posture. The NZITF is intending to hold a public consultation on the guidelines later this year.

Local group scoops top Australian security award

Media release – 7 June 2013

The New Zealand Internet Task Force (NZITF) has beaten the Australians at their own game, taking out the top prize in the prestigious AusCERT Awards.

Winner of the ‘Best Security Initiative,’ the NZITF was recognised last month for its bringing together of security experts from across the country’s government and private sector security communities.

New Zealand Internet Task Force Chair Mike Seddon says members of the NZITF are delighted to have been recognised on Australian soil, with the AusCERT win testament to the strength and effectiveness of the Task Force’s proactive cyber security activities.

A volunteer group of security professionals across government, law enforcement, academia, information security and private sector industries, the NZITF works collaboratively to improve the cyber security posture of New Zealand in defending against and mitigating cyber based threats.

Seddon says the comprehensive make-up of the NZITF affords it a unique view of the opportunities and threats across the entire spectrum of IT security and risk.

“Our approach is grounded in collaboration and trust. In sharing amongst ourselves our knowledge and experience, the general delivery and state of IT security and risk management in New Zealand is significantly improved.
“We are a rather unique outfit in a global sense and that is why the benefits we have and will continue to deliver are a key contributor as to why New Zealand could be considered world leading in this arena.”

http://nzitf.org.nz/2012/05/02/bruce-schneier-public-lecture/ (Tue, 01 May 2012 20:28:00 GMT)
Posted 2 May 2012
Over 400 people turned out in person to hear Bruce Schneier’s lecture on the topic of his latest book Liars and Outliers. More than 1000 people viewed the live streaming of the event online. This event was hosted by the NZITF and was sponsored by InternetNZ and Telecom New Zealand.

The event began with an overview of the NZITF by its Chair, Paul McKitrick, which can be viewed below or downloaded here.

Laura Bell was invited to provide an overview of the in2securITy initiative, a non-profit organisation which aims to encourage IT students into the IT Security field, and then supports those students into careers in IT Security. The video can be downloaded here.

Bruce Schneier then took the stage for the main event and gave an interesting and insightful lecture on security, trust and society. You can download it here.

Thanks go to Bruce for kindly taking time out of his busy schedule to give this talk for free. Thank you again InternetNZ and Telecom New Zealand for your generous sponsorship that enabled us to put on this free event for the community and to stream it online.

New Zealand websites named among Australasia’s most trustworthy

A quartet of New Zealand organisations have been recognised as among the most trustworthy in Australasia for their commitment to consumer safety, security and privacy online.

Two of the companies - Trade Me and Xero - are members of the New Zealand Internet Task Force (NZITF) - a non-profit group of Internet security professionals tasked with improving the cyber security posture of New Zealand.

NZITF Chair Barry Brailey congratulates Health Post, Trade Me, New Zealand Post and Xero for their success in the 2014 Online Trust Audit, saying their website security, data protection and privacy policies serve as an exemplar that other New Zealand companies should look to emulate.

“It’s pleasing to see these four local companies leading the way in securing and protecting their customers’ personal data. When organisations like these commit to best practice data protection and privacy, it helps instil tremendous trust and confidence in their online services.

“We strongly encourage other New Zealand businesses to learn from their example."

More information about the 2014 Australia and New Zealand (A/NZ) Online Trust Audit is available at www.otalliance.org. For more information about the New Zealand Internet Task Force (NZITF) visit www.nzitf.org.nz

Contact:
Barry Brailey
Chair, NZITF

"SHELL SHOCK" Bash vulnerability

Advice for Businesses and End Users
What can we do now?

Businesses and other Website Owners

1) Patch fast, patch often.
Keep a close watch on the websites of your software vendors. There isn't likely to be a single 'one big fix' patch for a number of days. There may however be multiple smaller patches which fix individual aspects of the vulnerability. It's better to apply patches even if they only provide partial fixes.
2) Reduce your 'attack surface'
Identify which systems are business critical and which are less critical, and consider shutting down the less critical systems to reduce your attack surface until a patch is released. For vulnerable business critical services, ensure they are located behind some form of border protection and that you have a regular, verified method of data backup and recovery. Placing services behind a Web Application Firewall (as opposed to a network firewall) which has been tuned to detect this attack will provide some protection.
3) Monitor Logs
Increase the frequency with which you monitor your logs. Keep an eye on anything which looks out of the ordinary and take steps to investigate. You will want to keep an eye on your web server access logs in particular to see if there is anything strange showing up. We have had some reports of administrators using the following 'grep' string to search through web server access logs to see if there have been any exploit attempts:
grep '() {'
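The grep above finds the '() {' marker anywhere in a line, but it does not tell you which request field carried it or which clients are probing. The following script is an added example (it is not code from the NZITF page or from any vendor): it parses the common "combined" access log format, reports the field in which the marker appeared (request line, Referer or User-Agent, since any of these may be copied into a CGI environment variable), and counts attempts per client address. The log lines and addresses are constructed for the example; the probe string is the same harmless one the page uses for its local Bash test.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format (assumed layout for this example):
# client ident user [timestamp] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The marker the page's grep looks for: the opening of an exported Bash
# function definition. A web server that hands request headers to a CGI
# script as environment variables is how this string reaches bash.
MARKER = "() {"

# Constructed sample log (hypothetical addresses): one benign request, one probe
# carried in the User-Agent, one carried in the Referer, and one unparseable line.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:02 +1200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:01:09 +1200] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:02:41 +1200] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :;}; echo vulnerable" "curl/7.30"
garbage line that does not parse
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_attempts(log_text):
    """Return one finding per (line, field) in which the marker appears.

    Lines that contain the marker but do not parse are still reported, with
    field="raw", so that a deliberately malformed request is not silently dropped.
    """
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if MARKER not in line:
            continue
        fields = parse_line(line)
        if fields is None:
            findings.append({"line": lineno, "client": None, "field": "raw", "status": None})
            continue
        for name in ("request", "referer", "agent"):
            if MARKER in fields[name]:
                findings.append({
                    "line": lineno,
                    "client": fields["client"],
                    "field": name,
                    "status": fields["status"],
                })
    return findings


def summarize_by_client(findings):
    """Count attempts per client address (unparseable lines have no client and are skipped)."""
    return Counter(f["client"] for f in findings if f["client"])


if __name__ == "__main__":
    hits = find_shellshock_attempts(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: client={h['client']} field={h['field']} status={h['status']}")
    print("attempts per client:", dict(summarize_by_client(hits)))
```

Treat a probe against a /cgi-bin/ path that is answered with a 200, or followed by a 500 from the same client, as worth an immediate look at that host: the status code alone does not prove the injected command ran, but it narrows the list of servers to check with the local Bash test described below.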
4) Educate yourself
Information about the vulnerability is presented on the NZITF website (further down this page). This is an evolving issue. Make sure that you check back on this page regularly as we will be adding more information as it comes to hand. There is also a very well written write up here: http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
5) Test your servers:
There are a number of vulnerabilities being tracked at present (CVE-2014-6271 and CVE-2014-7169).
To test if your version of Bash is vulnerable to the CVE-2014-6271 issue, run the following command:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output of the above command looks as follows:

vulnerable
this is a test

you are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:

There are also a number of experimental tools which attempt to get your website to demonstrate whether it is vulnerable. These are not a foolproof way of testing and can give a false result in a large number of cases. We would advise businesses to test using the bash command above, and if a server is vulnerable and runs a service that accepts traffic from the internet, assume that it is able to be exploited. Use the services below at your own risk and on your own servers only.
• http://www.shellshocktest.com/
• http://shellshock.brandonpotter.com/

End Users:
1) Patch fast, patch often.
Make sure that you have automatic updates turned on for your operating system. In general apply vendor patches as soon as they are available.

For users on Apple Mac computers running OS X, you should check the App Store for operating system updates at least once a day until this vulnerability is resolved.

For more advanced users who manage their own home network: don't forget to ensure that your router/DSL modem software is up to date and that any administration web page is not accessible from the Internet.
2) Be extra vigilant of malware and scams over the next few weeks.
If there is an increase in the number of websites being compromised, these could be used to launch malware or scams. Make sure that you keep your paranoid filter on high for the next little while.

This may show up as more people calling you during dinner to offer to help you 'fix' your computer. These are almost always scams. Be extra wary of clicking on links in emails or on social media sites from people you don't trust.
3) Educate yourself
Check back often. This is an emerging issue. If there is more we think you can do, we'll post it here, so check back.

CVE-2014-6271 "SHELL SHOCK"

Bash Code Injection Vulnerability

Overview
A critical vulnerability has been discovered in the Bourne again shell, commonly known as bash and present in most Linux and UNIX distributions, including Mac OS X. Administrators are urged to patch immediately.
This vulnerability allows attackers to compromise systems remotely, including systems used as web servers. It is at least as severe as the recent Heartbleed exploit and affects a large number of Internet-facing systems.

Details
The bash command shell processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code.
This is a high severity remote code execution vulnerability that potentially affects any system with bash installed, even if bash is not used interactively on that system. Exploits have been demonstrated that reach vulnerable bash versions via sshd, Apache, and dhclient, and common utilities such as procmail are believed to be vulnerable as well.
All mainstream Linux distributions and Mac OS X are vulnerable, and should be patched immediately. In addition, affected systems should be repeatedly re-patched as new patches become available.

Detecting vulnerable versions
To test if your version of Bash is vulnerable to this issue, run the following command:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the output of the above command looks as follows:
vulnerable
this is a test
you are using a vulnerable version of Bash. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:
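The same check, wrapped so it can be run unattended across a fleet of hosts, as an added example that is not part of the original NZITF advisory. It runs exactly the command given above (the x variable set to '() { :;}; echo vulnerable' and bash asked to echo a test string) and classifies the result from standard output alone, since patched versions of bash reject the trailing code and print only the test string. The function names are my own; the CVE-2014-7169 follow-up issue named earlier on the page needs its own vendor test and is not covered here.

```python
import os
import subprocess

# The test string and environment value are the ones from the page's own check.
TEST_STRING = "this is a test"
PROBE_VALUE = "() { :;}; echo vulnerable"


def classify_output(stdout):
    """Classify the standard output of the page's bash check.

    'vulnerable' : bash executed the code that followed the function body.
    'patched'    : only the test string was printed (trailing code was ignored).
    'unknown'    : anything else (wrong shell invoked, empty output, ...).
    """
    lines = [ln.strip() for ln in stdout.splitlines() if ln.strip()]
    if "vulnerable" in lines:
        return "vulnerable"
    if lines == [TEST_STRING]:
        return "patched"
    return "unknown"


def check_local_bash(bash_path="bash"):
    """Run the check against the bash binary on this host (assumed to be on PATH)."""
    env = dict(os.environ)
    env["x"] = PROBE_VALUE   # equivalent to: env x='() { :;}; echo vulnerable' bash -c ...
    try:
        proc = subprocess.run(
            [bash_path, "-c", f"echo {TEST_STRING}"],
            env=env, capture_output=True, text=True, timeout=10,
        )
    except FileNotFoundError:
        return "bash-not-found"
    return classify_output(proc.stdout)


if __name__ == "__main__":
    print(f"{os.uname().nodename}: bash is {check_local_bash()}")
```

A result of 'patched' only covers CVE-2014-6271; keep applying vendor updates as they appear, as the advisory says, because follow-up fixes for the related issues were released separately.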

GameOver Zeus P2P Malware

Posted: 3 June 2014
Content courtesy of US-CERT
Overview
GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware identified in September 2011, uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), is releasing this Technical Alert to provide further information about the GameOver Zeus botnet.
Description
GOZ, which is often propagated through spam and phishing messages, is primarily used by cybercriminals to harvest banking information, such as login credentials, from a victim’s computer. Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks.
Prior variants of the Zeus malware utilized a centralized command and control (C2) botnet infrastructure to execute commands. Centralized C2 servers are routinely tracked and blocked by the security community. GOZ, however, utilizes a P2P network of infected hosts to communicate and distribute data, and employs encryption to evade detection. These peers act as a massive proxy network that is used to propagate binary updates, distribute configuration files, and to send stolen data. Without a single point of failure, the resiliency of GOZ’s P2P infrastructure makes takedown efforts more difficult.
Impact
A system infected with GOZ may be employed to send spam, participate in DDoS attacks, and harvest users' credentials for online services, including banking services.
Solution
Users are recommended to take the following actions to remediate GOZ infections:
• Use and maintain anti-virus software - Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information).
• Change your passwords - Your original passwords may have been compromised during the infection, so you should change them (see Choosing and Protecting Passwords for more information).
• Keep your operating system and application software up-to-date - Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).
• Use anti-malware tools - Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool (examples below) that will help with the removal of GOZ from your system.
F-Secure http://www.f-secure.com/en/web/homeglobal/online-scanner (Windows Vista, 7 and 8) http://www.f-secure.com/en/web/labsglobal/removal-tools/-/carousel/view/142 (Windows XP)
Heimdal http://goz.heimdalsecurity.com/ (Microsoft Windows XP, Vista, 7, 8 and 8.1)
Microsoft http://www.microsoft.com/security/scanner/en-us/default.aspx (Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP)
Sophos http://www.sophos.com/VirusRemoval (Windows XP (SP2) and above)
Symantec http://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network (Windows XP, Windows Vista and Windows 7)
Trend Micro http://www.trendmicro.com/threatdetector (Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2)
The above are examples only and do not constitute an exhaustive list. The U.S. Government does not endorse or support any particular product or vendor.
• GOZ has been associated with the CryptoLocker malware. For more information on this malware, please visit the CryptoLocker Ransomware Infections page.

HeartBleed vulnerability - The Next Steps

Posted: 14 April 2014
The NZITF has produced a document outlining the next steps that organisations can take as they work to protect themselves against the HeartBleed vulnerability.

HeartBleed vulnerability warning for OpenSSL users

Posted: 9 April 2014
New Zealand Internet Task Force is warning website owners and IT managers that their SSL certificate based security may have been breached and private information may have been stolen after the HeartBleed vulnerability was identified.

Individual web users do not have to do anything; however, website owners and IT managers are advised to check their websites, mail servers and VPN servers and patch them where required.

The vulnerability in OpenSSL software, commonly used to secure web sites, is easy to exploit and virtually impossible to detect when it has been exploited. Any web site, mail server or VPN server using a vulnerable version of OpenSSL may have been attacked by criminals stealing data or eavesdropping on communications to and from the site. Now that this vulnerability is widely known, the likelihood of criminals using this exploit is significantly higher.

To fix the vulnerability, you are advised to follow the below list in the order provided:
1. Establish if your site’s servers are vulnerable.
2. Patch the vulnerable servers.
3. Revoke/reissue certificates.

Establishing if your site is vulnerable
There are a number of online tools available which website owners can use to establish if their site is vulnerable to this exploit:
• https://www.ssllabs.com/ssltest/

Revoking/Reissuing Keys and Certificates
If you have had a vulnerable server for any length of time at all, it is imperative that you revoke your website certificate and have it reissued using new cryptographic keys. The mechanisms around how to do this are outside the scope of this document, but you should immediately engage with your trusted IT security advisor to ensure these steps are taken. Patching alone will reduce your risk of future data compromise, but cannot protect any data that has already been captured through this method. This could include the cryptographic keys used to protect the data, as well as user IDs and passwords. You should carry out a risk assessment to determine what the implications are and what to address. Individuals should have separate passwords for different web services, and we recommend changing those passwords frequently.

Consultation open on Responsible Disclosure Guidelines

Posted: 8 November 2013
Today the New Zealand Internet Task Force (the NZITF) has released draft guidelines on responsible disclosure. These guidelines will help security researchers and organisations that operate ICT systems to work together to identify, understand and fix security vulnerabilities in New Zealand websites and ICT systems.

We are seeking your views on these draft guidelines to make sure that they are high quality and provide useful guidance on the aspects of responsible disclosure that need covering.

We welcome any comments or suggestions that you have on how the guidelines could be improved. We would also like to hear from you if your organisation is interested in being named as a third party for finders to contact, acting as an intermediary between them and the ICT owners that they deal with.

NZITF wins Australian Information Security award

Posted: 23 May 2013
The New Zealand Internet Task Force has won the Award for Best Security Initiative in the 2013 Australian Information Security Awards. The awards were held at the 2013 AusCERT Information Security Conference, and are run in conjunction with SC Magazine.

The Best Security Initiative is presented to an individual or organisation who has developed solutions to security threats, and will build trust and confidence in the online environment.

NZITF finalist in 2013 Australian Information Security Awards

Posted 10 May 2013
The New Zealand Internet Task Force has been announced as a finalist in the Best Security Initiative category in the 2013 Australian Information Security Awards. The award for Best Security Initiative is presented to an individual or organisation who has developed solutions to security threats.

NZITF Highly Commended in ANZIAs

Posted 10 October 2012
The NZITF has received a Highly Commended recognition in the Security & Privacy category at the 2012 Australia and New Zealand Internet Awards (the ANZIAs). The ANZIA judges agreed that the NZITF:

"contributes to a safer online environment for New Zealand businesses and individuals, through its initiatives to enhance the capabilities of the security community".

The NZITF Board would like to extend its congratulations to Aura Information Security, a member of the NZITF, who won the Security and Product category for their RedEye Security product.

NZITF finalist in ANZIAs

Posted: 14 August 2012
The NZITF has been announced as a finalist in the Security & Privacy category at the 2012 Australia and New Zealand Internet Awards (the ANZIAs). Aura Information Security, a member of the NZITF, has also been nominated for its RedEye Security product.

The ANZIAs are a collaboration between auDA and InternetNZ, and an annual event celebrating the achievements of organisations, businesses and individuals that have made significant contributions to the development and use of the Internet in Australia and New Zealand. ANZIA winners receive recognition as industry leaders, for setting new standards in making the Internet a more inclusive, accessible and safe place. The ANZIA category winners will be announced on October 12, 2012. For more details please visit the ANZIA website.

DNSChanger Diagnostic Check

Over 1000 New Zealand computers are believed to be infected with the DNSChanger malware. On 9 July it is likely that these infected machines will no longer be able to connect to the Internet.

To check if your machine is infected, and to find out how to fix this please visit the DNSChanger Diagnostic website. This website is a joint initiative between NetSafe, the New Zealand National Cyber Security Centre, and the Ministry of Economic Development.